Event 1022 - Windows Restrictions
- Logged Message
- What Is It?
- When Is This Event Logged?
- Example
- Remediation
- Related topics
Logged Message
Windows Internet Explorer 8 and Windows Internet Explorer 7 for Windows XP with Service Pack 2 (SP2) and Windows Vista place some restrictions on windows to prevent hidden information and user-interface spoofing. Windows Internet Explorer Windows Restrictions are designed to prevent a scripted window from obscuring the Internet Explorer title bar, Address bar, and status bar. Window Restrictions affect several Dynamic HTML (DHTML) scripting commands, such as the window.open (with chrome) and window.createPopup (chromeless) methods.
What Is It?
In Internet Explorer, scripts can open two different types of windows and can resize and reposition existing windows. Malicious coders have used these script-opened windows and the script-driven window positioning to mislead and deceive users. The Window Restrictions security feature in Internet Explorer now restricts the opening and placement of windows by script to prevent malicious coders from misleading users. These restrictions include constraints on new Internet Explorer windows created by the window.open method and HTML pop-up windows created by the window.createPopup method. This also includes positioning and sizing of Internet Explorer windows. By understanding Window Restrictions and how they work, you can write your scripts so that your webpages function as expected.
When Is This Event Logged?
This event is logged when an attempt is made to hide user interface elements through script.
Example
Perform the following steps to see this event logged in the compatibility tool:
Create a webpage with the following contents. For this example call it 1022.html.
<html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Windows Restrictions Example</title> </head> <body> <form id="form1" > <div> <a href="#" onclick="window.open('Popup.html','_blank','height=400,width=400,top=2000');">Open</a> </div> </form> </body> </html>
Create another webpage with the following contents. For this example call it Popup.html.
<html xmlns="http://www.w3.org/1999/xhtml" > <body> <div> <p>Pop-up Example</p> </div> </form> </body> </html>
Install the files in the root directory of the local web server. On a Microsoft Internet Information Services (IIS) server this means putting the file in this directory:
.\wwwroot
Browse to the file:
http://127.0.0.1/1022.html
Click the "Open" hyperlink.
The code invoked by the link attempts to create a popup window that is situated off-screen. This is prevented by the Windows Reuse Navigation Restriction. Internet Explorer forces the pop-up window to appear in the viewable area of the desktop and the event is logged to the compatibility tool.
Remediation
The following are guidelines for working with script-initiated window calls:
For windows opened by using window.open:
- Expect the status bar to be present, and write your code accordingly. The status bar is On by default and is 20-25 pixels in height.
- Adjust your window's size and content so that it fits well visually with the window's overall size. The window does not cover the taskbar, so it might lose 40 pixels if the status bar is On and you do not account for the taskbar. Vertically size the window no more than 30 pixels outside the taskbar.
- Do not open windows off-screen. Internet Explorer moves windows by the smallest offset of x- and y-coordinates, enabling the window to fully display onscreen.
- When designing, you must consider how the display theme, the font size, and the resolution impact the display of the window.
Note Using the window.open method with fullscreen=yes
results in a maximized window, not a kiosk mode window.
For windows opened by using window.createPopup:
- Adjust your window's size and content so that it fits well visually with the window's overall size. With this new feature, the window does not cover its parent window's title bar or status bar, so it might lose 40 pixels if you do not account for the title and status bars. Vertically size the window no larger than the currently visible area of the page.
- Do not open chromeless windows outside of the HTML rendering surface of Internet Explorer. Internet Explorer moves windows by the smallest offset of x- and y-coordinates, allowing the window to fully display inside the client area. Important There is one exception: Up to half of the window can exist outside the left or right edge of the Internet Explorer client area.
- When designing, you must consider how the display theme, the font size, and the resolution impact the display of the window.
By default, sites in the Local Intranet and Trusted Sites zones enable windows to open and to create pop-up windows. When developing an extranet Web application, you might be able to configure your user's browsers to add the website to one of these zones.
You may also disable this feature through feature control keys.
Security Warning: Disabling this feature exposes the browser to possible attacks-including spoofing. The visible security features of Internet Explorer windows, like the status bar, provide information to help users to determine the source and the security level of a webpage. If there are hidden security elements, users might believe they are on a trustworthy page or are interacting with a system process instead of a malicious host. Malicious use of window relocation can present false information to the user, obscure important information, or otherwise spoof important elements of the user interface in an attempt to motivate the user to take unsafe actions or to divulge sensitive information.
Disabling the feature should only be used as a temporary measure during troubleshooting-to compare behavior of the application when the feature is enabled or not. It is not recommended that the feature be left disabled on an on-going basis.
You manage the Window Restrictions with a security feature control registry key (FEATURE_WINDOW_RESTRICTIONS). Internet Explorer (Iexplore.exe) and Windows Explorer (Explorer.exe) run under this feature control by default. The following list shows the registry keys and enabled processes:
HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
SOFTWARE
Microsoft
Internet Explorer
Main
FeatureControl
FEATURE_WINDOW_RESTRICTIONS
iexplore.exe = 0x00000000
This feature can also be controlled by the following group policy:
GPO Policy Path | GPO Policy Setting Name | GPO Settings |
---|---|---|
Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions | Internet Explorer Processes | If you enable this policy setting, popup windows and other restrictions apply for Windows Explorer and Internet Explorer processes. If you disable this policy setting, scripts can continue to create popup windows and windows that hide other windows. If you do not configure this policy setting, popup windows and other restrictions apply for Windows Explorer and Internet Explorer processes. |
Applications that host the WebBrowser control can also take advantage of the security feature control, by adding their process to the same registry locations. You can do this programmatically, by using the CoInternetSetFeatureEnabled function.
Note If an application does not run under this security feature control, the WebBrowser control behaves the same as previous versions of Internet Explorer.